[U-Boot] [PATCH 0/8] Initial integration of AVB2.0

Alex Deymo deymo+ at google.com
Thu Apr 26 18:35:54 UTC 2018


Hi Kever,
  libavb and libavb_ab are different things, and we split them for a
reason. Adding libavb is great, but you don't need to add libavb_ab as an
A/B implementation. The boot_android command referenced by Igor doesn't use
that as an A/B implementation, but uses the structs already defined in
the Boot Control Block (BCB) and the Android bootloader flow. I would
recommend including libavb only.

Igor,
What changes did you need to make to libavb to import it to U-Boot? The idea
with libavb is that it should be easy to integrate into your bootloader
without changes, and therefore easy to update and integrate new patches
when we release new versions of libavb. We would like to avoid diverging
from it to reduce the maintenance cost.

Best regards,
Alex


On Thu, Apr 26, 2018 at 05:05, Kever Yang <kever.yang at rock-chips.com> wrote:

> Hi Igor,
>
>     It's great to see the patch set to support AVB2.0. The upstream
> libavb (from AOSP) combines AVB with A/B, which I think should be
> two separate features; are you going to split them?
>
>     BTW, do you have a plan to update the boot_android cmd to support avb?
> The command is too weak for use now.
> And any plan to add optee_client/smcc to talk to OPTEE/ATF?
>
> Thanks,
> - Kever
> On 04/25/2018 09:17 PM, Igor Opaniuk wrote:
> > This series of patches introduces support of Android Verified Boot 2.0,
> > which provides integrity checking of Android partitions on MMC.
> >
> > It integrates libavb/libavb_ab into U-Boot, provides an implementation of
> > AvbOps and a subset of `avb` commands to run the verification chain (and for
> > debugging purposes), and enables AVB2.0 verification on the AM57xx HS SoC by
> > default.
> >
> > Currently, there is still no support for verification of A/B boot slots
> > and no rollback protection (for storing rollback indexes
> > there are plans to use eMMC RPMB)
> >
> > Libavb/libavb_ab will be deviated from AOSP upstream in the future,
> > that's why a minimal amount of changes were introduced into the lib
> > sources, so checkpatch may fail.
> >
> > For additional details check [1] AVB 2.0 README and doc/README.avb2,
> > which is a part of this patchset.
> >
> > [1] https://android.googlesource.com/platform/external/avb/+/master/README.md
> >
> > Igor Opaniuk (8):
> >   avb2.0: add Android Verified Boot 2.0 libraries
> >   avb2.0: integrate avb 2.0 into the build system
> >   avb2.0: implement AVB ops
> >   cmd: avb2.0: avb command for performing verification
> >   avb2.0: add boot states and dm-verity support
> >   am57xx_hs: avb2.0: add support of AVB 2.0
> >   test/py: avb2.0: add tests for avb commands
> >   doc: avb2.0: add README about AVB2.0 integration
> >
> >  cmd/Kconfig                                  |   15 +
> >  cmd/Makefile                                 |    3 +
> >  cmd/avb.c                                    |  366 ++++++++
> >  common/Makefile                              |    2 +
> >  common/avb_verify.c                          |  748 ++++++++++++++++
> >  configs/am57xx_hs_evm_defconfig              |    3 +
> >  doc/README.avb2                              |  100 +++
> >  include/avb/avb_ab_flow.h                    |  235 ++++++
> >  include/avb/avb_ab_ops.h                     |   61 ++
> >  include/avb/avb_chain_partition_descriptor.h |   54 ++
> >  include/avb/avb_crypto.h                     |  147 ++++
> >  include/avb/avb_descriptor.h                 |  113 +++
> >  include/avb/avb_footer.h                     |   68 ++
> >  include/avb/avb_hash_descriptor.h            |   55 ++
> >  include/avb/avb_hashtree_descriptor.h        |   65 ++
> >  include/avb/avb_kernel_cmdline_descriptor.h  |   63 ++
> >  include/avb/avb_ops.h                        |  196 +++++
> >  include/avb/avb_property_descriptor.h        |   89 ++
> >  include/avb/avb_rsa.h                        |   55 ++
> >  include/avb/avb_sha.h                        |   72 ++
> >  include/avb/avb_slot_verify.h                |  239 ++++++
> >  include/avb/avb_sysdeps.h                    |   97 +++
> >  include/avb/avb_util.h                       |  259 ++++++
> >  include/avb/avb_vbmeta_image.h               |  272 ++++++
> >  include/avb/avb_version.h                    |   45 +
> >  include/avb/libavb.h                         |   32 +
> >  include/avb/libavb_ab.h                      |   22 +
> >  include/avb_verify.h                         |   97 +++
> >  include/configs/am57xx_evm.h                 |   11 +
> >  include/environment/ti/boot.h                |   15 +
> >  lib/Kconfig                                  |   20 +
> >  lib/Makefile                                 |    2 +
> >  lib/libavb/Makefile                          |   15 +
> >  lib/libavb/avb_chain_partition_descriptor.c  |   46 +
> >  lib/libavb/avb_crypto.c                      |  355 ++++++++
> >  lib/libavb/avb_descriptor.c                  |  142 ++++
> >  lib/libavb/avb_footer.c                      |   36 +
> >  lib/libavb/avb_hash_descriptor.c             |   43 +
> >  lib/libavb/avb_hashtree_descriptor.c         |   51 ++
> >  lib/libavb/avb_kernel_cmdline_descriptor.c   |   40 +
> >  lib/libavb/avb_property_descriptor.c         |  167 ++++
> >  lib/libavb/avb_rsa.c                         |  277 ++++++
> >  lib/libavb/avb_sha256.c                      |  364 ++++++++
> >  lib/libavb/avb_sha512.c                      |  362 ++++++++
> >  lib/libavb/avb_slot_verify.c                 | 1169 ++++++++++++++++++++++++++
> >  lib/libavb/avb_sysdeps_posix.c               |   57 ++
> >  lib/libavb/avb_util.c                        |  385 +++++++++
> >  lib/libavb/avb_vbmeta_image.c                |  290 +++++++
> >  lib/libavb/avb_version.c                     |   16 +
> >  lib/libavb_ab/Makefile                       |    9 +
> >  lib/libavb_ab/avb_ab_flow.c                  |  502 +++++++++++
> >  test/py/tests/test_avb.py                    |  111 +++
> >  52 files changed, 8058 insertions(+)
> >  create mode 100644 cmd/avb.c
> >  create mode 100644 common/avb_verify.c
> >  create mode 100644 doc/README.avb2
> >  create mode 100644 include/avb/avb_ab_flow.h
> >  create mode 100644 include/avb/avb_ab_ops.h
> >  create mode 100644 include/avb/avb_chain_partition_descriptor.h
> >  create mode 100644 include/avb/avb_crypto.h
> >  create mode 100644 include/avb/avb_descriptor.h
> >  create mode 100644 include/avb/avb_footer.h
> >  create mode 100644 include/avb/avb_hash_descriptor.h
> >  create mode 100644 include/avb/avb_hashtree_descriptor.h
> >  create mode 100644 include/avb/avb_kernel_cmdline_descriptor.h
> >  create mode 100644 include/avb/avb_ops.h
> >  create mode 100644 include/avb/avb_property_descriptor.h
> >  create mode 100644 include/avb/avb_rsa.h
> >  create mode 100644 include/avb/avb_sha.h
> >  create mode 100644 include/avb/avb_slot_verify.h
> >  create mode 100644 include/avb/avb_sysdeps.h
> >  create mode 100644 include/avb/avb_util.h
> >  create mode 100644 include/avb/avb_vbmeta_image.h
> >  create mode 100644 include/avb/avb_version.h
> >  create mode 100644 include/avb/libavb.h
> >  create mode 100644 include/avb/libavb_ab.h
> >  create mode 100644 include/avb_verify.h
> >  create mode 100644 lib/libavb/Makefile
> >  create mode 100644 lib/libavb/avb_chain_partition_descriptor.c
> >  create mode 100644 lib/libavb/avb_crypto.c
> >  create mode 100644 lib/libavb/avb_descriptor.c
> >  create mode 100644 lib/libavb/avb_footer.c
> >  create mode 100644 lib/libavb/avb_hash_descriptor.c
> >  create mode 100644 lib/libavb/avb_hashtree_descriptor.c
> >  create mode 100644 lib/libavb/avb_kernel_cmdline_descriptor.c
> >  create mode 100644 lib/libavb/avb_property_descriptor.c
> >  create mode 100644 lib/libavb/avb_rsa.c
> >  create mode 100644 lib/libavb/avb_sha256.c
> >  create mode 100644 lib/libavb/avb_sha512.c
> >  create mode 100644 lib/libavb/avb_slot_verify.c
> >  create mode 100644 lib/libavb/avb_sysdeps_posix.c
> >  create mode 100644 lib/libavb/avb_util.c
> >  create mode 100644 lib/libavb/avb_vbmeta_image.c
> >  create mode 100644 lib/libavb/avb_version.c
> >  create mode 100644 lib/libavb_ab/Makefile
> >  create mode 100644 lib/libavb_ab/avb_ab_flow.c
> >  create mode 100644 test/py/tests/test_avb.py
> >
>
>
> _______________________________________________
> U-Boot mailing list
> U-Boot at lists.denx.de
> https://lists.denx.de/listinfo/u-boot
>

